ff84292269
This patch introduces optional backend encryption for the Heat service. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Heat service. Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/722028/
45 lines
1.6 KiB
Django/Jinja
{% set heat_api_cfn_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
"command": "/usr/sbin/{{ heat_api_cfn_cmd }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api-cfn.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat",
"perm": "0600"
}{% endif %}{% if heat_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
],
"permissions": [
{
"path": "/var/log/kolla/heat",
"owner": "heat:heat",
"recurse": true
}
]
}